| 2.2 Ensure access to sensitive site features is restricted to authenticated principals only | CIS IIS 8.0 v1.5.1 Level 1 | Windows | ACCESS CONTROL |
| 4.2 Ensure HTTP Server Is Disabled | CIS Apple macOS 11.0 Big Sur v4.0.0 L1 | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.3 Ensure HTTP Server Is Disabled | CIS Apple macOS 10.15 Catalina v3.0.0 L1 | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.4 Ensure HTTP Server Is Disabled | CIS Apple macOS 10.14 v2.0.0 L1 | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.4 Ensure http server is not running | CIS Apple macOS 10.13 L1 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 4.8 Ensure Handler is not granted Write and Script/Execute - Applications | CIS IIS 10 v1.2.1 Level 1 | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.9 Ensure 'notListedIsapisAllowed' is set to false | CIS IIS 7 L1 v1.8.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.3 Ensure 'ETW Logging' is enabled | CIS IIS 8.0 v1.5.1 Level 1 | Windows | AUDIT AND ACCOUNTABILITY |
| 5.11 Ensure Access to Inappropriate File Extensions Is Restricted - 'httpd.conf FileMatch directive Require all denied' | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.15 Ensure the IP Addresses for Listening for Requests Are Specified | CIS Apache HTTP Server 2.4 v2.2.0 L2 | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 8.3 Ensure All Default Apache Content Is Removed - 'httpd.conf Alias /icons/ /var/www/icons/ does not exists' | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | CONFIGURATION MANAGEMENT |
| 8.3 Ensure All Default Apache Content Is Removed - 'httpd.conf Include conf/extra/httpd-autoindex.conf does not exists' | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | CONFIGURATION MANAGEMENT |
| AS24-U1-000020 - The Apache web server must perform server-side session management. | DISA STIG Apache Server 2.4 Unix Server v3r2 | Unix | ACCESS CONTROL |
| AS24-U2-000020 - The Apache web server must perform server-side session management. | DISA STIG Apache Server 2.4 Unix Site v2r6 Middleware | Unix | ACCESS CONTROL |
| AS24-W1-000200 - The log information from the Apache web server must be protected from unauthorized deletion and modification. | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | AUDIT AND ACCOUNTABILITY |
| AS24-W1-000200 - The log information from the Apache web server must be protected from unauthorized deletion and modification. | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | AUDIT AND ACCOUNTABILITY |
| AS24-W1-000740 - The Apache web server must use a logging mechanism that is configured to provide a warning to the Information System Security Officer (ISSO) and System Administrator (SA) when allocated record storage volume reaches 75 percent of maximum log record storage capacity - SA when allocated record storage volume reaches 75% of maximum log record storage capacity. | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | AUDIT AND ACCOUNTABILITY |
| AS24-W2-000500 - The Apache web server must generate unique session identifiers that cannot be reliably reproduced. | DISA STIG Apache Server 2.4 Windows Site v2r2 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| DISA_STIG_Apache_Server-2.2_Windows_v1r13.audit from DISA APACHE 2.2 Server for Windows v1r13 STIG | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | |
| DISA_STIG_Apache_Site-2.4_Unix_v2r6.audit from DISA Apache Server 2.4 UNIX Site v2r6 STIG | DISA STIG Apache Server 2.4 Unix Site v2r6 | Unix | |
| DISA_STIG_EDB_PostgreSQL_Advanced_Server_v11_Windows_v2r4_OS.audit from DISA EDB Postgres Advanced Server v11 on Windows v2r4 STIG | EDB PostgreSQL Advanced Server v11 Windows OS Audit v2r4 | Windows | |
| DISA_STIG_Microsoft_Exchange_2013_Client_Access_Server_v2r2.audit from DISA Microsoft Exchange 2013 Client Access Server v2r2 STIG | DISA Microsoft Exchange 2013 Client Access Server STIG v2r2 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| DISA_STIG_Microsoft_Exchange_2013_Edge_Transport_Server_v1r6.audit from DISA Microsoft Exchange 2013 Edge Transport Server v1r6 STIG | DISA Microsoft Exchange 2013 Edge Transport Server STIG v1r6 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| DISA_STIG_MSSQL_2014_Instance-OS_v2r4.audit from DISA MS SQL Server 2014 Instance v2r4 STIG | DISA STIG SQL Server 2014 Instance OS Audit v2r4 | Windows | |
| DISA_STIG_MSSQL_2016_Instance-OS_v3r4.audit from DISA MS SQL Server 2016 Instance v3r4 STIG | DISA STIG SQL Server 2016 Instance OS Audit v3r4 | Windows | |
| DTOO179 - Office System - Documents must be configured to not open as Read Write when browsing. | DISA STIG Office System 2010 v1r13 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| IIST-SV-000210 - HTTPAPI Server version must be removed from the HTTP Response Header information. | DISA IIS 10.0 Server v3r3 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| IISW-SV-009999 - The version of IIS running on the system must be a supported version. | DISA IIS 8.5 Server v2r7 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Keep Alive Timeout setting value should be appropriately configured. | TNS IBM HTTP Server Best Practice | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| OH12-1X-000011 - OHS must have the LoadModule ossl_module directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | ACCESS CONTROL |
| OH12-1X-000012 - OHS must have the SSLFIPS directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | ACCESS CONTROL |
| OH12-1X-000013 - OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server - SSLProtocol | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | ACCESS CONTROL |
| OH12-1X-000013 - OHS must have the SSLEngine, SSLProtocol, and SSLWallet directives enabled and configured to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server - SSLWallet | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | ACCESS CONTROL |
| OH12-1X-000014 - OHS must have the SSLCipherSuite directive enabled to protect the integrity of remote sessions in accordance with the categorization of data hosted by the web server. | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | ACCESS CONTROL |
| OH12-1X-000015 - OHS must have the SecureProxy directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | ACCESS CONTROL |
| OH12-1X-000017 - OHS must have the WebLogicSSLVersion directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | ACCESS CONTROL |
| OH12-1X-000018 - OHS must have the WLProxySSL directive enabled to protect the integrity of remote sessions when integrated with WebLogic in accordance with the categorization of data hosted by the web server. | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | ACCESS CONTROL |
| WA000-WI6040 IIS6 - A unique non-privileged account must be used to run Worker Process Identities. - 'AppPoolIdentityType Check' | DISA STIG IIS 6.0 Site Checklist v6r16 | Windows | ACCESS CONTROL |
| WA120 W22 - Administrative users and groups that have access rights to the web server must be documented. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | |
| WA230 W22 - The site software used with the web server must have all applicable security patches applied and documented. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | |
| WA00510 A22 - Web server status module must be disabled. | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | CONFIGURATION MANAGEMENT |
| WA00510 W22 - Web server status module must be disabled. | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | ACCESS CONTROL |
| WA00520 A22 - The web server must not be configured as a proxy server. | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | |
| WA00555 A22 - The web server must be configured to listen on a specific IP address and port - [::ffff:0.0.0.0]:80 | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | CONFIGURATION MANAGEMENT |
| WA00555 W22 - The web server must be configured to listen on a specific IP address and port. - 'Listen directive exists' | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | CONFIGURATION MANAGEMENT |
| WatchGuard : DDoS Prevention - Distributed Denial-of-Service Prevention - Per Server Quota | TNS Best Practice WatchGuard Audit 1.0.0 | WatchGuard | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG330 A22 - A public web server must limit email to outbound only - sendmail | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | |
| WG330 A22 - A public web server must limit email to outbound only - sendmail | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | |
| WG350 A22 - A private web server will have a valid DoD server certificate. | DISA STIG Apache Site 2.2 Unix v1r11 | Unix | |
| WG350 W22 - A private web server must have a valid DoD server certificate. | DISA STIG Apache Site 2.2 Windows v1r13 | Windows | |
